Rik Ferguson, senior security advisor at Trend Micro, said that the ‘E’ variant of the Downadup worm has been detected by Trend Micro labs, and that this variant is now using a previously established P2P network to contact and network with other infected machines.
Ferguson said that, using P2P, infected machines reach out to other machines in order to build a network of infected machines. It is building slowly and organically, which he said demonstrates that the worm is coming of age.

Ferguson said: “For April 1, the world media focused on the HTTP botnet attacks, but the P2P is more based on affected data and the controllers can slip an update into the P2P file share. It is completely decentralised and launched from the success of the more mainstream P2P network.

“It reintroduces a propagation technique in that it tries to use the Microsoft vulnerability that is switched off, that it is based on. It will try to connect to the domain name to see if there is an internet connection, and will then connect to an IP address; if there is no connection then it will connect to local IP addresses.”

He further said that although it is early days in terms of analysis, there appears to be a link between Downadup/Conficker and the Storm and Waledac worms. Ferguson said: “The server that it is trying to connect to appears to be the same one that has been used by the Waledac worm, and there has been a suspicion that the same people behind Waledac were behind the Storm virus. There is a server in common and it points to a link between all three: Storm, Waledac and Conficker.”
See original article on scmagazineuk.com